This is driving me crazy! I have set up a dhcp server and it is working wonderfully, but I can't get internet to any of the computers on it. From what I have read I need to set up NAT and IP masquerading in iptables, but it just isn't working. I have tried many howtos in the wiki, but I just must be overlooking something because all I can get working is dhcp! Any help would be greatly appreciated!
OK, I think that I am really close. On the client machines, when I ping and the like, it looks for a long time but eventually fails. I have nat running in iptables (I think) and dhcp seems to be working. Here are my files; anyone know what I still need to do?
/etc/dhcpd.conf:
ddns-update-style none;
# masamune
subnet 17.73.3.0 netmask 255.255.255.0 {
option domain-name-servers 69.144.49.30 , 69.146.17.2 , 69.144.49.29;
option broadcast-address 17.73.3.200;
option subnet-mask 255.255.255.0;
option routers 17.73.3.1;
range 17.73.3.100 17.73.3.199;
}
host Axiom {
hardware ethernet 00:02:B3:2F:BF:15;
fixed-address 17.73.3.120;
}
host Zohar {
hardware ethernet 00:02:B3:32:88:2C;
fixed-address 17.73.3.130;
}
/etc/iptables/iptables.rules
# Generated by iptables-save v1.3.7 on Sat Jan 27 20:57:50 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [548:173176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [560:85953]
COMMIT
# Completed on Sat Jan 27 20:57:50 2007
# Generated by iptables-save v1.3.7 on Sat Jan 27 20:57:50 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Jan 27 20:57:50 2007
# Generated by iptables-save v1.3.7 on Sat Jan 27 20:57:50 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Jan 27 20:57:50 2007
Yeah I'm struggling with this too.
The best I got was just using firestarter and set it up to be dhcp server. According to the website it should do dns translation too, but apparently it doesn't.
Have you enabled routing in your gateway box? What does
cat /proc/sys/net/ipv4/ip_forward
give you as a result?
I get a:
1
I will do some research on this; what does it mean? And how do I set up ip_forwarding (if I haven't already)?
I get a:
1
This means that you do have routing enabled on your gateway machine. How to do that? Well, on my machine I had to change a line in /etc/sysctl.conf from:
# Disable packet forwarding
net.ipv4.ip_forward=0
to:
# Enable packet forwarding
net.ipv4.ip_forward=1
You may have done the same at some point in time.
I have taken a look at your firewall rules. I haven't used iptables-save and iptables-restore before so I might be wrong, but the way I interpret your output is that you do not have NAT (masquerading) enabled. I loaded your rules into my machine and found no masquerading rules. I then added one by hand:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
and when I did an iptables-save I got this (most similar lines are omitted):
# Generated by iptables-save v1.3.7 on Sun Jan 28 19:51:02 2007
*nat
:PREROUTING ACCEPT [8:3103]
:POSTROUTING ACCEPT [27:4638]
:OUTPUT ACCEPT [30:4757]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
I hope this gets you going.
Bent
PS Your interface may be something different than eth0. Please change accordingly.
Have you taken a look at this:
http://wiki.archlinux.org/index.php/Sim … wall_HOWTO
It's a very well explained article on setting up the firewall parts of a router/gateway.
As for the rest, I recommend DNSMasq over dhcpd because it is MUCH easier to configure and also provides dns lookups for you.
EDIT: BTW, with the pings trying then giving the error "Request Timed Out."
This means that your firewall is NOT working and that pings are not working. This probably means your ISP is seeing packets coming from the address 192.168.*.* on their network. The ISP's routers don't know where these packets came from and discard them.
Masquerading is what fixes this and is the core of NAT. It rewrites the source ip of a packet to make it look like you have one computer on the ISP's network, namely the router.
Hope that makes sense.
Last edited by arew264 (2007-01-28 19:40:42)
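An added example, not written by anyone in this thread: a small POSIX shell checker that applies the two tests the replies above do by eye (ip_forward set to 1, and a MASQUERADE rule in the nat POSTROUTING chain for the outside interface) to an iptables-save dump, and also warns when the filter FORWARD policy is ACCEPT, as it is in both rulesets posted here. The two dumps inside are constructed to mirror the thread's first and second rulesets; the interface name eth1 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check an iptables-save dump for the
# things the replies above look for by hand.

# has_masquerade DUMP IFACE: succeed if the *nat table has a POSTROUTING
# MASQUERADE rule on IFACE (any interface when IFACE is empty).
has_masquerade() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\*/     { table = substr($0, 2) }     # *nat, *filter, ...
        /^COMMIT/ { table = "" }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            out = ""
            for (i = 3; i <= NF; i++) if ($i == "-o") out = $(i + 1)
            if (want == "" || out == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# forward_policy DUMP: print the policy of the *filter FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2; exit }'
}
# gateway_ready FLAG DUMP IFACE: FLAG is /proc/sys/net/ipv4/ip_forward.
# Returns 0 only when forwarding and masquerading are both in place;
# an ACCEPT policy on FORWARD is reported as a warning, not a failure.
gateway_ready() {
    flag=$1; dump=$2; iface=$3; rc=0
    [ "$flag" = "1" ] || { echo "ip_forward=$flag: set net.ipv4.ip_forward=1"; rc=1; }
    has_masquerade "$dump" "$iface" ||
        { echo "no '-A POSTROUTING -o $iface -j MASQUERADE' in *nat"; rc=1; }
    [ "$(forward_policy "$dump")" != "ACCEPT" ] ||
        echo "warning: FORWARD policy is ACCEPT, the gateway forwards everything"
    return $rc
}
# Constructed dumps shaped like the first and second rulesets in the thread.
DUMP_NO_NAT='*nat
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
DUMP_NAT_ETH1='*nat
:POSTROUTING ACCEPT [27:4638]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
# Live use on the gateway (interface name is an assumption):
# gateway_ready "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)" eth1
```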
I did that but to no avail. My client computers are definitely sending stuff out because the connections time out. Could it be a dns problem? I haven't configured anything in dns on the server, and how do I go about using this dnsmasq? Thanks!
did you set up masquerading in IPTABLES?
If you don't do that, everything else is worthless.
Try pinging 207.67.222.222 for now.
The DNSMASQ config file is commented quite well as I recall. If you look at it it should be pretty self explanatory.
I still haven't gotten DNSmasq working, and yes, forwarding is enabled, as is masquerading in iptables. When I ping the IP you gave me with dhcpd running it says:
Destination Host Unreachable
And with dnsmasq it says:
network is unreachable
Here are my iptables rules:
# Generated by iptables-save v1.3.7 on Sun Jan 28 14:58:41 2007
*raw
:PREROUTING ACCEPT [5882:403261]
:OUTPUT ACCEPT [8010:9331281]
COMMIT
# Completed on Sun Jan 28 14:58:41 2007
# Generated by iptables-save v1.3.7 on Sun Jan 28 14:58:41 2007
*mangle
:PREROUTING ACCEPT [5882:403261]
:INPUT ACCEPT [5882:403261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8010:9331281]
:POSTROUTING ACCEPT [8010:9331281]
COMMIT
# Completed on Sun Jan 28 14:58:41 2007
# Generated by iptables-save v1.3.7 on Sun Jan 28 14:58:41 2007
*nat
:PREROUTING ACCEPT [8:3103]
:POSTROUTING ACCEPT [27:4638]
:OUTPUT ACCEPT [30:4757]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Jan 28 14:58:41 2007
# Generated by iptables-save v1.3.7 on Sun Jan 28 14:58:41 2007
*filter
:INPUT ACCEPT [5882:403261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8010:9331281]
COMMIT
# Completed on Sun Jan 28 14:58:41 2007
and my dnsmasq.conf:
interface=eth1
dhcp-range=10.1.1.100,10.1.1.199,12h
dhcp-host=00:02:B3:2F:BF:15,Axiom,10.1.1.20
Last edited by Ryujin (2007-01-28 23:44:20)
Do you have the gateway you're trying to get working set as the default gateway on the client?
Network Unreachable errors generally signify that you don't have a default gateway set if they come from a client.
Hmm, I got rid of the ! in front of gateway in the rc.conf and now when I start the network I get:
SIOCADDRT: File Exists
and the network fails.
Ok, how exactly are you setting this up?
Are you using the arch box as the gateway and windows as clients or do you have two linux boxes?
You need to explain how you want to set this up or it makes no sense to people trying to help you.
Heh, sorry.
I am setting up the gateway in Arch and the clients are all Arch; I will be trying to set up a Windows client later.
For now, let's try to get the network working without using rc.conf. Just set your interface to dhcp for now and leave the ! in front of gateway.
To set up a static ip address with those conditions, you have to do this, changing the parts in brackets to fit your setup:
ifconfig [eth0] [192.168.0.5] netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw [192.168.0.1]
This assumes that your ethernet card is called eth0, the IP you want to use is 192.168.0.5, and your gateway's ip is 192.168.0.1.
Once you have that, try pinging 208.67.222.222 (sorry, I typoed before, this is the right address).
If you get destination host unreachable, try running:
ifconfig [eth0] up
To formally set your interface as UP in case it wasn't set as up before.
Then try the ping again, and if it doesn't work, post whether it's timing out or giving a network/host unreachable error.
Also, try pinging the host serving as your gateway and post the result.